This repository has been archived by the owner on Sep 19, 2020. It is now read-only.

XSS Sanitation / Protection? #100

Closed
no-stack-dub-sack opened this issue Apr 13, 2017 · 12 comments

Comments

@no-stack-dub-sack
Member

@bonham000 @Bigghead any thoughts?

@firgon000

What is the threat?

@no-stack-dub-sack
Member Author

@firgon000 I don't know a whole lot about XSS, but @Bigghead mentioned it to me early on in this process. I would think people attempting to write scripts in our text areas where there is actually some room - bio, mentorship bio, etc.

Not sure what could actually be accomplished if someone did...

@bonham000
Contributor

Looking for @Bigghead's expertise on this one.

@Bigghead
Contributor

I've used something simple like express-sanitizer to get rid of script tags on the server.

Some of the things people can easily do with XSS:

  • On the more harmless side, somebody can just write a setInterval alert script on a page, making it super annoying to load/unusable.

Or

  • A user writes a window.open script that will automatically redirect to a malicious site on page load. Imagine if they got this script saved in their profile page's DB. Everybody that visits their profile gets redirected to a new site.

@Bigghead
Contributor

Or Helmet.js.

@bonham000
Contributor

bonham000 commented Apr 13, 2017

@Bigghead @no-stack-dub-sack I think React helps sanitize input for us? Like I don't care what script you write in any of our inputs, but it will just show up as that string of text later on...? Try it out on the live demo app; if you can window.open anything, then we'll need to take a second look. I just tried a few things myself, nothing. Did find another chat bug tho. 😭 💀

@no-stack-dub-sack
Member Author

@Bigghead @bonham000

FCC Alumni Network CISO: Shav "Big Head" Parta

@Bigghead
Contributor

lolz

@Bigghead
Contributor

@bonham000 is right, I just read that React helps prevent XSS, as it automatically escapes certain HTML strings in inputs.
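
The claim in the two comments above can be checked without installing React. The block below is an added example, not code from this repository: it reproduces the five-character escaping that React applies when a string is rendered as JSX text (so a bio saved with a script tag comes back as inert text), and it shows the one rendering path where that protection is bypassed, `dangerouslySetInnerHTML`, which is where server-side sanitisation such as the express-sanitizer suggestion still matters. The sample bios and the `containsActiveMarkup` check are constructed for the example.

```javascript
// React escapes exactly these five characters when it renders a string as
// JSX text or as an attribute value; this table mirrors that behaviour.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What <p className="bio">{bio}</p> produces: the stored bio is inert text,
// so a saved <script> tag is displayed literally and never executes.
function renderBioAsText(bio) {
  return `<p class="bio">${escapeHtml(bio)}</p>`;
}

// What <p dangerouslySetInnerHTML={{ __html: bio }} /> would produce:
// React's escaping is bypassed and stored markup reaches the browser verbatim.
// This is the path where server-side sanitisation is still required.
function renderBioAsHtml(bio) {
  return `<p class="bio">${bio}</p>`;
}

// Defensive check for stored profile text (assumed helper, not in the repo):
// true if the string contains something that would be live markup if it
// were ever rendered unescaped. Useful for logging or rejecting on save.
function containsActiveMarkup(text) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(String(text));
}

// Constructed sample bios, not real user data.
const SAMPLE_BIOS = [
  "Full-stack dev, FCC alumnus & mentor",
  '<script>setInterval(() => alert("hi"), 1000)</script>',
];

// Renders each sample both ways and reports whether the check flags it.
function demo() {
  return SAMPLE_BIOS.map((bio) => ({
    bio,
    asText: renderBioAsText(bio),
    asHtml: renderBioAsHtml(bio),
    flagged: containsActiveMarkup(bio),
  }));
}

console.table(demo());
```

Run it with `node` to see the escaped and raw renderings side by side; only the `asHtml` column of the second row still contains a live script tag.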

@bonham000
Contributor

React 👑

@Bigghead
Contributor

Bigghead commented Apr 13, 2017

React is freakin awesome. That window.open trick broke my voting app the first time.

I don't think we should worry about XSS injections too much (at all) with this app.

@bonham000
Contributor

MEEN Stack?
